So, I've been getting some paid pentesting jobs, and I need to decide between buying a Nessus license or using OpenVAS. I'd prefer not to spend the extra money, but I don't have any experience with OpenVAS. Is it just as good as Nessus or should I suck it up and just buy the license? I primarily do web pentesting, and use Nessus to find configuration issues and software vulnerabilities on a web server before I begin testing the actual site.

Also there are a lot of OpenVAS tutorials out there. If anyone has some favorites please post the links.

You know that article is so useful. I've spent the past 30 mins or so looking at the vulnerabilities and researching ones I am not familiar with. I know this is really the point of metasploitable, but its still a great experience. I havent gotten to the nexpose and openVAS reports yet, but im looking forward to seeing the differences.

True, but I would guess that many people use nessus because of its name recognition. How many people are taught about OpenVAS when they study for their CEH (I assume it would be mentioned in the GPEN). They work at one company that uses a product, and only use another when they have to. I recommended Nexpose to my company (well I informed them of its existence, and gave my opinion of it.), but they didnt change anything.

My personal experience is that the paid vulnerability scanners typically provide more timely and accurate signatures. Unless OpenVAS has changed dramatically since I last used it, I think it would be negligent to use it professionally.

Nessus seems to provide a good cost/benefit ratio. I'd probably use something else or add-on the security center if I was using it in-house, but for one-off assessments, I can do without a lot of extra features.

It's not a complete apples and to apples comparison as its not a 1:1 mapping of plugins to vulnerabilities but you get the idea.

If you are serious about doing VA work you really need Nessus Pro feed (or another commercial scanner) at a minimum. I'm of the mindset however that a really good pentester could make do with Nmap and if it's a webapp test all you really need is Zap/Burp and a browser. Vuln scanners are a crutch. I still use them, but sometimes I find myself spending more time weeding out false positives and second guessing what I knew already.

Last edited by tturner on Fri Oct 19, 2012 1:21 am, edited 1 time in total.

I can't comment on OpenVAS too much, got it running in a lab environment but haven't really used in anger.

Placing technical issues to one side, if you're providing a chargeable service some (rightly or wrongly, a debate for another day) will be more comfortable with a service backed up by a commercial organisation; and I have come across a handful of organisations that specifically disallow open source in their environment.

Given the relative low cost of a single Nessus license (compared to other commercial offerings) I'd suggest this may be the way to go in a commercial setting. The cost of a license can quickly be offset by picking up business from clients that otherwise wouldn't consider you.

tturner wrote:Vuln scanners are a crutch. I still use them, but sometimes I find myself spending more time weeding out false positives and second guessing what I knew already.

I don't rely on vuln scanners too much, but I do like to use them to get a sense of the overall focus of security of a client. If I run it and come up with 10 major issues, I know I might have to focus first on fixing simple things since it's most likely the case that the admin hasn't really viewed security as a priority. Kind of like running an antivirus scan, if it comes up with 40 viruses, i know it's going to be a pain to clean, but if it comes up with none that doesn't necessarily mean things are ok.

Last edited by Seen on Fri Oct 19, 2012 5:02 pm, edited 1 time in total.